Is data really that important to a business?
A quick survey of the top companies by market capitalisation readily reveals that data is key.
There is a patchwork of intellectual property rights and contract rights that may apply to data. Understanding the way in which these rights come into play enables a business to understand how its data assets can be protected, as well as to understand which data that are available publicly can be re-used.
Patent law is largely uniform across the world. Patent rights:
Data or a dataset per se are unlikely to bring about any specific technical effect, but ideas relating to data / a dataset, such as a new form of data structure, could be protected, provided that the new feature is inventive and brings about a technical effect.
In many jurisdictions copyright is an unregistered right. In Europe it does not need to be applied for or registered, while in the US, for example, registration is recommended. Copyright gives the right-holder the right to prevent copying and other acts (such as distribution and publication) by unauthorized parties.
The scope of subject-matter in which copyright can subsist is very wide, and is not confined to literary and artistic works, computer software, and graphical works.
It can potentially extend to any expression of the author's own intellectual creation, usually if fixed in a medium of some kind. In the EU a recent case confirmed that an author’s intellectual creation means the personality of its author, as an expression of the author’s free and creative choices.1
Some jurisdictions provide for specific protection in relation to databases beyond that which might be conferred by copyright.
EU and the UK
In the EU and the UK (which has in the past implemented EU law) there is a specific “database right” for databases that fall within the (narrow) definition within the Database Directive: being “a collection of independent works, data or other materials arranged in a systematic or methodical way and individually accessible by electronic or other means.”
The EU database right does not apply to unstructured datasets; and even some structured datasets may not fall within the definition. Most datasets used in the digital economy are in the form of unstructured datasets.
A database may attract the EU database right protection if there has been qualitatively and / or quantitatively a substantial investment in either the obtaining, verification or presentation of the contents. Investment made to create / generate data is irrelevant in this regard.4
It may not be easy to claim the EU database right in relation to some machine-generated datasets, if they are simply created data, rather than data comprised of observed facts.5 Unlike other intellectual property rights, the existence of an EU database right depends on the amount of investment (not necessarily financial) put into establishing the database.
The EU database right is an unregistered right and gives the right-holder the right to prevent unauthorized copying and publication of qualitatively and / or quantitatively substantial parts of a database (meaning that third parties may copy / publish insubstantial parts of it). Mere consultation of a database does not, by itself, constitute an infringement of the database right.
The right-holder needs to be based in Europe (or the UK, in relation to UK database rights - which are to apply for databases created after the end of the UK’s EU membership transition period).
A new Data Act is proposed by the EU Commission to revise the suitability of current laws related to rights in databases.
There is no specific legislation in Australia that provides for a “database right.”
Although the US may permit copyright registration or a creative selection or arrangement of data, there is no separate database right.
In common law jurisdictions the law of confidentiality (or trade secrets law, as it is sometimes known) provides a right to prevent use or disclosure of confidential information / trade secrets. That can include data that has the requisite degree of confidentiality. Some jurisdictions include additional statutory rights in relation to trade secrets.
EU and the UK
In the EU and the UK, for example, under the Trade Secrets Directive:
The implementation of EU Trade Secrets Directive has reinforced the right of trade secret holders in the EU and the UK by providing that:
Rights in trade secrets under EU law and the law of confidentiality at common law are unregistered rights and give the right-holder the right to prevent misappropriation of trade secrets. This does not include reverse engineering unless there is a relevant contractual measure preventing this (which may or may not be valid, depending on the law applicable).
A new Data Act is proposed by the EU Commission to revise suitability of current laws related to trade secrets covering data.
In 2016 the US enacted a federal trade secrets law, the Defend Trade Secrets Act (DTSA). DTSA’s definition of trade secret is “all forms and types of financial, business, scientific, technical, economic, or engineering information, including patterns, plans, compilations, program devices, formulas, designs, prototypes, methods, techniques, processes, procedures, programs, or codes, whether tangible or intangible, and whether or how stored, compiled, or memorialized physically, electronically, graphically, photographically, or in writing if: (a) the owner thereof has taken reasonable measures to keep such information secret; and (b) the information derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable through proper means by, another person who can obtain economic value from the disclosure or use of the information.”6
The DTSA does not pre-empt state trade secret laws, and injunctions under the DTSA may not conflict with state law prohibiting restraints on the practice of a lawful profession, trade or business.
Trade secrets are protected mainly under the PRC Anti-Unfair Competition Law, under which:
In Australia trade secrets are generally considered to be included as part of an organization’s confidential information. Similar to the EU law, these are unregistered rights which could be enforced under the common law rules of confidentiality.
The importance of confidentiality to trade and commerce is supported by various items of legislation. For example, the Freedom of Information Act 1982 (Cth) (which provides a mechanism for the access to certain information held by the Australian government) reinforces the rights of trade secret holders by providing that a document may be exempt from disclosure if its disclosure would disclose trade secrets.
Where the right-holder is minded to give access to the information to certain parties, non-disclosure agreements are often entered into, giving the right-holder contractual rights as against the recipient of the information to access and use it in a certain way, and would usually include a term that the recipient should keep the information confidential.
For more information on contractual issues in relation to sharing data, see Contractual Considerations in Sharing Data.
It is apparent from the foregoing that only limited types of data / datasets are capable of protection by intellectual property rights (and even less so in the case of property rights in general), and then only by a limited number of intellectual property rights in very specific circumstances.
For this reason, many businesses will wish to avoid such inherent uncertainties, and instead may place reliance on contractual controls. Contractual controls:
Contract is used to license use of datasets even though intellectual property rights may not in fact subsist in them. Contractual licensing terms:
In contracts providing for flows of data, it will be necessary to ensure that the “Consequences of Termination” clause in the contract or license provides for what happens on termination to the data, and any derived data based on the transferred data.
If data is shared, even on strict contract terms, there is a risk of permanent loss of control for the following reasons:
A well-drafted contract is generally easier to enforce compared with intellectual property rights because the data / datasets subject to the contract are more clearly defined. However, unlike intellectual property rights, contractual rights can only be asserted against parties to the contract.
Where information is made publicly available (for example, on the web), it would be prudent to implement measures requiring the user to accept the terms and conditions of the website before the user is allowed to access its contents. The enforceability of browser-wrap agreements have not yet generally been tested in most jurisdictions, and because the user is not requested to positively affirm the terms and conditions, data holders may find it difficult to enforce them.
Website owners could also implement the Robots Exclusion Protocol, which provides that webcrawling is not authorized, or copyprotect, making it difficult for users to copy and paste contents.
A quick survey of the top companies by market capitalisation readily reveals that data is key.
The value that can be gained from data by businesses will inevitably lead to an increase in the use of data to improve daily operations and to develop new products, services and processes.
In many jurisdictions pure information, or data, is not considered to be property. This is because a claim to property in intangible information presents obvious definitional difficulties.
There is a patchwork of different rights, intellectual property rights and contract rights that may apply to data. Understanding the way in which these rights come into play enables a business to understand how its data assets can be protected.
Disruptive technologies, such as AI, IoT, AVs, distributed ledger technology (DLT), cryptocurrencies and smart contracts, generate many different forms of data. What are the particular characteristics of such data, and to what extent can intellectual property rights or other rights protect them?
In this section, we review the EU’s position with regards to industrial and non-personal data and look at whether other jurisdictions have similar initiatives.
Data location laws (in relation to industrial and non-personal data) can be restrictive (as in banking secrecy laws, which may require some types of data to remain onshore or to be “localised”) or liberalising (as in laws that ban the prohibition of export of data from a locality).
In furtherance of the objective of leveraging existing datasets paid for by public funds, a number of jurisdictions have sought to make public sector information (PSI) available to industry.
The exclusive possession or control of data can have antitrust / competition law considerations, giving rise to access disputes.
The uncertain nature of intellectual property rights in data means that “contract is king” in data transactions.
Data is an incredibly valuable resource for businesses, enabling organisations to effectively operate and to make business improvements. In order to exploit this value most effectively, businesses must invest in good data management.
Errors, incompleteness or biases within data may flow through, and be amplified by, data analytics process outputs upon which a business's strategic and investment decisions may depend, potentially causing business losses. In this section we deal with liability arising out of use of data / datasets that are in some respect sub-optimal.